Dell OpenManage Network Manager exposes a MySQL listener that can be accessed with default credentials (CVE-2018-15768). This MySQL service is running as the root user, so an attacker can exploit this configuration to, e.g., deploy a backdoor and escalate privileges into the root account (CVE-2018-15767).

3. Technical Description

The appliance binds on 3306/mysql using the 0.0.0.0 IP address. The default IPTables policy is ACCEPT and the rule table is empty. Using any of three default accounts, a malicious user can exploit native MySQL functionality to place a JSP shell into the directory of a web server on the file system and subsequently make calls into it.

4. Mitigation and Remediation Recommendation

The vendor informed KoreLogic that all default passwords can be changed and are documented in the OpenManage Network Manager Installation Guide. Dell recommends all customers change these default passwords upon installation.

The vendor has addressed these vulnerabilities in version 6.5.3. Release notes and download instructions can be found at:

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2018.02.16 - KoreLogic submits vulnerability details to Dell. 2018.02.16 - Dell acknowledges receipt. 2018.04.02 - Dell informs KoreLogic that a rememdiation plan is in place and requests approximately two months continued embargo on the vulnerability details. 2018.04.23 - 45 business days have elapsed since the vulnerability was reported to Dell. 2018.05.14 - 60 business days have elapsed since the vulnerability was reported to Dell. 2018.06.05 - 75 business days have elapsed since the vulnerability was reported to Dell. 2018.06.11 - Dell informs KoreLogic that the patched version has been released and asks that the KoreLogic advisory remain unpublished until 2018.06.22. 2018.06.21 - Dell requests additional time to coordinate changes to the MySQL implementation, noting that this driver is provided by and upstream vendor. 2018.07.11 - 100 business days have elapsed since the vulnerability was reported to Dell. 2018.07.16 - Dell informs KoreLogic that the remediations are targeted for version 6.5.3, slated for a September release. 2018.08.08 - 120 business days have elapsed since the vulnerability was reported to Dell. 2018.09.20 - 150 business days have elapsed since the vulnerability was reported to Dell. 2018.10.03 - Dell informs KoreLogic that version 6.5.3 is scheduled to be released 2018.10.08. 2018.10.11 - Dell and KoreLogic begin mutual review of disclosure statements. 2018.11.02 - Dell issues public advisory- https://www.dell.com/support/article/us/en/19/sln314610; 180 business days have elapsed since the vulnerability was reported to Dell. 2018.11.05 - KoreLogic Disclosure.

The contents of this advisory are copyright(c) 2018KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt